Many SaaS companies overlook a key component of their business strategy: security. From password management to secure coding to aligning with regulatory standards, SaaS companies often forgo information security at the outset and end up addressing it only when it is already too late.
So why do SaaS companies tend to overlook their information security posture, or push it aside to deal with later? It could be cultural, in the sense that company leadership simply hasn’t made security a priority. It could be systemic, if no one at the company was put in charge of overseeing security policies and procedures and no governance was set up. A company may become overconfident that “someone else” is taking care of it without knowing who, or it may rely too heavily on one department or team for security implementation. It could also be a false sense of security from trusting third-party cloud providers to cover everything (aka “We’re secure because we use AWS”). Cloud providers secure the underlying infrastructure, but under the shared responsibility model the customer is still responsible for configuring and protecting everything it runs on top of that infrastructure: identities, access, data, and application code.
There may also be a lack of understanding of how important a strong security posture is for a SaaS vendor selling to enterprise companies. Attackers are increasingly targeting supply chains, knowing that a lax security posture at a vendor gives them an easy backdoor into bigger companies, and that compromising one vendor can yield access to every customer that trusts it. Sometimes SaaS companies believe they have the right certifications, tests, or standards in place until a client sends a questionnaire asking them to explain their security policies, and they can’t.
The good thing is that SaaS companies can take immediate actions to begin putting together an information security plan. And more mature companies can always take steps to strengthen and expand their policies too. Here are a few ways to start.
Start with a Security Meeting
Hold a security meeting to get everyone pointed in the same direction when it comes to having a security-minded focus — not just senior leadership, but every department. Invite key team members, and create a plan:
- What systems need to be protected, and how much protection do they have already?
- What are the known security risks?
- Have you tested for unknown security risks, for example through vulnerability scanning or penetration testing?
- How is customer data encrypted, both in transit and at rest, and who controls the keys?
- What is your policy on employee passwords and multi-factor authentication?
- Is there a response plan in case an incident occurs?
Before you think about outsourcing, start with your own team and resources to build your security plan. And don’t stop at one meeting: meet regularly to discuss ongoing concerns and new issues as they arise.
Know Which Frameworks and Regulations You Need
Are you in compliance with the right frameworks and regulations? As you put your security plan in place and think through how to handle customer data and privacy regulations, you’ll want to make sure your compliance is up to date. SaaS companies often look to align with SOC 2, which assesses an organization’s controls for the security, availability, processing integrity, confidentiality, and privacy of customer data. You may also need to comply with industry-specific standards, such as HIPAA or PCI DSS, or with regional privacy laws. Also find out which standards your clients are held to, because as their vendor you may have contractual obligations to meet those requirements as well.
Review the Strategy Around Policies and Procedures
Does your company already have a set of security policies and procedures to follow? Your policies should be actionable and specific to your company. For instance, how should your developers build security into the source code? How should departments that work with customer data, such as support, sales, or marketing, handle it? Who has access to customer data? If there is a data breach, who responds? If there are no policies and procedures, make creating them a priority. You don’t have to start from scratch; templates and tools can generate a custom baseline for you. Whatever you generate, though, the policies must describe what your company actually does, because a policy nobody follows is a liability in an audit, not an asset. And if your policies exist only on one person’s computer or are passed around as oral institutional knowledge, get them thoroughly documented and available to everyone as soon as possible.
Do a Hardware and Software Asset Inventory
You won’t know what you need to secure if you don’t know what assets you have, so take an inventory of your hardware and your software, including the cloud resources and third-party services you depend on. Are there outdated systems that need patching, or that were simply forgotten about? They are easy targets for attackers looking for an open doorway inside. Additionally, inventory who has access to your hardware, and what controls govern who gets that access. Is your software up to date? Is there software your company no longer uses that should be uninstalled? By laying out the perimeter of your property, so to speak, you’ll be better able to defend it.
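As an added illustration that is not part of the original post, here is a small Python script that reconciles a hand-maintained asset register with what a network scan actually saw and flags the gaps this step is meant to surface: hosts nobody registered, registered hosts nobody can find, assets with no owner, machines not patched recently, and software below a minimum supported version. The inventory, the observed host list, the version floors and all function names are constructed for the example and do not come from any product or from the post.

```python
"""Reconcile an asset register against what is actually observed.

All data below is constructed for this example. The register is what we
*think* we have; OBSERVED_HOSTS stands in for the export of a hypothetical
network scan, i.e. what is really there. The function names are illustrative.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
import json


@dataclass
class Asset:
    hostname: str
    owner: Optional[str]              # team or person accountable for the box
    last_patched: Optional[date]      # None means we have no patch record at all
    software: dict = field(default_factory=dict)  # name -> version tuple


# Constructed asset register (what the company believes it owns).
INVENTORY = [
    Asset("web-01", "platform", date(2024, 5, 20),
          {"openssl": (3, 0, 13), "nginx": (1, 24, 0)}),
    Asset("db-01", "platform", date(2024, 5, 18), {"postgres": (15, 6)}),
    # A build server everyone forgot: no owner, not patched in years, old TLS stack.
    Asset("jenkins-old", None, date(2022, 11, 2), {"openssl": (1, 1, 1)}),
    # Registered laptop with no patch record at all.
    Asset("laptop-eng-07", "engineering", None, {}),
]

# Constructed scan result: hosts actually answering on the network.
# "wiki-test" was never registered by anyone.
OBSERVED_HOSTS = {"web-01", "db-01", "jenkins-old", "wiki-test"}

# Constructed version floors: anything older is considered unsupported.
MIN_SUPPORTED = {"openssl": (3, 0, 0), "postgres": (13, 0)}

AS_OF = date(2024, 6, 1)


def find_unregistered(observed, inventory):
    """Hosts seen on the network that are missing from the register (shadow assets)."""
    return sorted(observed - {a.hostname for a in inventory})


def find_unseen(inventory, observed):
    """Registered hosts the scan did not find: decommissioned, offline, or mislabelled."""
    return sorted(a.hostname for a in inventory if a.hostname not in observed)


def find_stale(inventory, as_of, max_age_days=30):
    """Assets with no patch record or whose last patch is older than max_age_days."""
    return sorted(
        a.hostname for a in inventory
        if a.last_patched is None or (as_of - a.last_patched).days > max_age_days
    )


def find_unowned(inventory):
    """Assets with no accountable owner; nobody will patch or retire these."""
    return sorted(a.hostname for a in inventory if not a.owner)


def find_unsupported_software(inventory, minimums):
    """(host, package, version) triples where the installed version is below the floor."""
    hits = []
    for a in inventory:
        for name, ver in a.software.items():
            floor = minimums.get(name)
            if floor is not None and ver < floor:   # tuple comparison is lexicographic
                hits.append((a.hostname, name, ".".join(map(str, ver))))
    return sorted(hits)


def report(inventory=INVENTORY, observed=OBSERVED_HOSTS, as_of=AS_OF,
           minimums=MIN_SUPPORTED):
    """Bundle every finding so the output can feed a ticket or a meeting agenda."""
    return {
        "unregistered_hosts": find_unregistered(observed, inventory),
        "unseen_registered_hosts": find_unseen(inventory, observed),
        "stale_or_unpatched": find_stale(inventory, as_of),
        "no_owner": find_unowned(inventory),
        "unsupported_software": find_unsupported_software(inventory, minimums),
    }


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

Run it on its own and every finding comes out as a list you can turn into a ticket. In practice the register would be loaded from a spreadsheet or CMDB export and the observed set from a scanner or cloud inventory API; the reconciliation logic stays the same, and the two sets that matter most are the ones on each side of the difference: what is live but unregistered, and what is registered but unaccounted for.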
Ask for Advice
Finally, no one needs to figure out information security in a vacuum, and your team will face plenty of unknown unknowns. Ask colleagues for advice or recommendations, seek out security experts to help, or look into outsourcing security tasks to people who have the training. Ask questions, and be honest about what you don’t know.
Where to start with information security for SaaS companies? Make sure your team has a security mindset and sees the value in keeping your company and your clients safe. If you don’t yet have a security program in place, the important thing is to start. But security is never a fix-it-and-forget-it exercise; it takes continuous vigilance and commitment.